InBoxRevenge KS Forum

Well one suggestion is: let me know more details.

What browser are you running?

If it's firefox: check the error console / javascript console. What does it say?

What specifically is it doing?

That would be a start.

SiL

Thank you so much for taking the time to do this over the holiday.
Unfortunately I am having problems with this version, I am using Firefox 1.5.0.9 and get the error message "The requested URL /cart.php was not found on this server." after I have clicked on "order" after pasting the part of the url.
Greasemonkey and formfiller work OK as does the previous version of pharmacy expressorator, any ideas what I could be doing wrong?

I'd guess that's one of the old sites that don't use PHP yet. Try the new ones.

Yes I have tried 22rx.com 33rx.com and 44rx.com, also tested from a PC with an address that isnt banned (yet lol) and via proxies but still the same.
I was so disappointed that I have resorted to copy/paste the customer details from the expressorator and still made a few orders.

I was about to say the same but you neat me to it Crabby.
I'm trying to find another one that's working right now.
SiL, sorry the wife was dragging me out the door to go shopping so I couldn't give more info yesterday.
I'm using FF 2.0.0.1, running through TOR/Vidalia/Privoxy and using the NoScript extension.
It would get as far as the "Checkout" page but would not fill it out with the information. I've had previous versions working
as well as some of the other tools. I'm wondering if I screwed around with a setting somewhere which is the cause.
If I can find another site I'll keep working on it.

This is correct and that's why that first step has so many extra notes after it. There is a different retaliators for the "old" versions of this site.

As for the ones that just aren't placing the order: I need to know which site you're testing that on.

Thanx for the extra details folks.

SiL

P.S. Wow: we must have pissed someone off with this one. I am seeing a lot more bounces / backscatter today from spams sent using my Blue Security address as the reply-to...

Heh.

Must have made a dent already. They have again modified. Unfortunately I'm offline for the rest of today but I'll need to investigate some more tomorrow. They are now expecting several new parameters and they are randomly adding a subdirectory to the site itself. They definitely are attempting to protect against these attacks.

I expect that these modifications will become quite frequent. They're certainly aware of our attempts. I'm not stopping until they do.

Nice work folks. Lots of downloads of all the Pharmacy Expressorators(TM). Thanx so much for sending the fight back to the asshole spammers.

SiL

A one-line modification is enough to get the script working with the current 22/33/44rx.com sites. They have just moved their pages into an RXS directory so modifying the runme_php.html file as follows will get it working again:

In function startIt (a search on startit in Notepad will take you there on the second search - note I've had to asterisk SiL's "colourful" target ID since this forum replaces it with 'beep' ):
add the extra line at the end:The script should then work. For those not wishing to do the edits, I've uploaded an amended copy of runme_php.html at http://www.mytempdir.com/1175800 but if Pharmacy Express change their folder structure again, just visit the site normally to find the new value and change the p_domain line above accordingly.

Happy ordering!

Well it looks like they've ditched the subdirectory idea. The standard script should now work again.

I have javascript enabled for local files through the NoScript Firefox extension.

When I get to step 5 of the script to actually submit the order, I receive a "sorry, your cart is empty" error. If I try to manually submit orders to the site, I never get to the cart; pressing the "order" button doesn't do anything. I'm assuming this is all because I am not allowing javascript for this site ... is this the case?

I am definitely loathe to enable javascript for a website implemented by criminals. I don't have the javascript expertise to assess exactly what is happening when you press the "order" button.

Is it definitely safe to have javascript enabled for these pharmacy express sites? Isn't it possible the spammers could change the javascript at any time to add malicious code? Also, can someone walk me through the process of being able to determine what code is executing when the order button is pressed? If I can actually see the javascript code, I can probably understand what is happening ... I'm just not sure how to get there.

Thanks!

-IAmHe

That is what happened when they started using a subdirectory as per my post above. The 22/33/44rx sites did stop doing this but have now restarted - either update the Expressorator as detailed above or download the updated file.

In my experience, Javascript (and cookies) have never been needed for Pharmacy Express. Javascript can certainly be abused but as long as you avoid IE, such abuse is limited to irritating tricks (like 1,000 popups - which will be blocked by default in Firefox/Opera).

I had already made the edit to add the subdirectory when I wrote my query ... however, I just retried it and realized the problem I was having was my own stupid fault: when I was cutting-and-pasting the session ID from the URL, I was including the "&A=3" string (or whatever it was) that was appended at the end. Sorry!

Here's something else though. When I got it working, I made a number of submissions which appeared to be successful. However, I soon reached a point where every submission from that point on generated text that read something like, "Dear So and So, bank reports problem with your card, cannot process your order." I wonder if they're somehow detecting multiple submissions (via log, cookie, or whatever) from one machine. What do you think?

Thanks,

-IAmHe

Interesting. It's now five hours later, and I got exactly the same results: I was able to issue three orders, but the fourth one resulted in "Dear, Robert Pierce! Your order can't be processed. Bank reports: Your card cannot be authorized." I wonder what's up with that.

Just as an amusing aside: when the order is placed, you can see that they're not using SSL to place the order (as any reputable online merchant would), so would-be criminals with packet sniffers looking for credit card data would end up culling bogus information.

Yes, this happens when they start blocking your IP address. You'll need to switch to using proxies (Tor being one of the best choices since it regularly switches IP addresses, see this thread for details) to continue.

Just wanted to thank Strikeback for handling all the tech support. Your check is in the mail.

I am continuing to monitor these sites because they are making numerous radical modifications to how they process orders. I appreciate people reporting what they find on the modified sites. There's just too many changes for me to make one "catch-all" retaliation.

I fully expect they'll start obfuscating field names soon also. We must have really pissed them off.

Thanx folks.

SiL